Researchers have found an earlier version of the MiniDuke espionage malware that dates to June 2011 – almost a year ahead of the previously oldest variant designed to spy on NATO, European governments and U.S. research and think tanks. Unlike the cyberspyware discovered last week, this one embedded a U.S. Navy clock, not one running on Chinese time.
“The discovery of this older MiniDuke malware strain raises questions about the origin of the 2012 samples and the malware as a whole,” said Catalin Cosoi, chief security strategist for Romania-based Bitdefender, in a prepared statement. “The switch from a U.S. Navy clock to a Chinese clock suggests the malware’s designers are simply throwing up a smoke cloud as to their identity.”
Last week researchers at Kaspersky Labs and CrySyS Lab announced the discovery of the low-profile MiniDuke, which uses infected PDFs of an invitation to a bogus conference to infiltrate networks. The malware developers exploited a vulnerability in Adobe Reader 9-11 that the company patched Feb. 20. Once on a compromised machine, the attackers could copy and move files to their servers, create new directories, kill processes and install additional malware. It’s been described as “old school malware” with a modern touch – using Twitter and Google to assist with command and control.
Though MiniDuke’s impact has been limited in both number and scope (mostly Europe, the Middle East, Brazil and the United States), the malware’s attack vector intrigued the security community. All versions appear to have been created to spy on governments and suggest state sponsorship, though MiniDuke’s origins remain controversial.
“The many different targets hit in separate countries, together with the high profile appearance of the decoy documents and the weird backdoor functionality indicate an unusual threat actor,” a Kaspersky and CrySyS report said. “Some of the elements remind us of both Duqu and Red October, such as the minimalistic approach, hacked servers, encrypted channels but also the typology of the victims.”
The earlier version announced Monday by BitDefender Labs was based on a sweep of samples in detection logs. This iteration appears to still be waiting for encrypted command and control instructions via an active Twitter account.
“There is no Google search backup way to contact command and control servers (if connecting to Twitter fails, then nothing happens). So we can see that the use of Google search technique has been introduced after 2011,” the company said. “There are also new (to us) Twitter indicatives: ObamaApril and Qae9XMs. In this earlier version the malware connects to twitter.com directly, instead of via mobile.twitter.com as in 2012/2013 versions.”
That Twitter account was still active.
Its last and single post is from Feb 21, 2012, which when decoded led to a presumably hacked server at “http://afgcall.com/demo/index.php.” “However, no files have been found on that particular server. This is probably because the malware sample is so old that the command and control server is no longer active.”